
Xanlar Agamalizade

#41863 of 53,635
6.5 Total CVSS
Vulnerabilities · 1
PT-2026-40532
6.5
2026-05-12
Npm · @Gitlawb/Openclaude · CVE-2026-42073
**Name of the Vulnerable Software and Affected Versions**

OpenClaude versions prior to 0.5.1

**Description**

The MCP authentication flow starts a temporary local HTTP server to handle OAuth callbacks. To prevent Cross-Site Request Forgery (CSRF) attacks, the server validates a `state` parameter against an internally stored value. A logic flaw in the order of conditionals allows an attacker to bypass this check by providing an `error` query parameter in the request. When the `error` parameter is present, the CSRF validation is skipped, and the server executes a cleanup function that shuts down the local server and terminates the user's active authentication session, resulting in a Denial of Service (DoS).

**Recommendations**

Update to version 0.5.1.